Nuxeo Security System

The Nuxeo repository security relies on a list of unitary permissions that are used within the repository to grant or deny access. These atomic permissions (Read_Children, Write_Properties ...) are grouped in Permissions Groups (Read, Edit, Everything ...) so that security can be managed more easily.

Nuxeo comes with a default set of permissions and permissions groups but you can contribute yours too.

Contextual Security

In the Nuxeo Platform, security is contextual to a Document inside the repository. There is no notion of a global permission: permissions are always contextual to a content object.

For example:

You can have the "manage" permission to a given folder, workspace, domain or repository.

You can have read access on a specific document.

ACL Model

The main model for security management is based on an ACL (Access Control List) system.

Each document can be associated with an ACP (Access Control Policy). This ACP is composed of a list of ACLs that itself is composed of ACEs (Access Control Entry).

Each ACE is a triplet:

User or Group,

Permission or Permission group,

Grant or deny.

ACPs are by default inherited: security check will be done against the merged ACP from the current document and all its parent. Inheritance can be blocked at any time if necessary.

Each document can be assigned several ACLs (one ACP) in order to better manage separation of concerns between the rules that define security:

The document has a default ACL: The one that can be managed via back-office UI,

The document can have several workflows ACLs: ACLs that are set by workflows including the document.

Thanks to this separation between ACLs, it's easy to have the document return to the right security if workflow is ended.

Permissions Checks

Any access to the repository (including searches) will always enforce permission checks.

The security model being based on the content, in most cases services will simply rely on the repository to do the check on atomic permissions. However, it is also possible to have explicit check, possibly on a dedicated permission.

For higher level services and UI, you usually want to do a pre-check to avoid displaying an action (button, link ...) that the user is not allowed to perform.

Filters are a guard on top of the low level permission check. They are usually defined using a mix of:

permissions checks,

group membership,

document types,

EL expression.

Non Contextual Checks

Sometimes, you may need to do a check globally, without any underlying context. For that there are several options:

Use groups (or virtual groups) to check for a capacity.
This is how we manage global screens in the Nuxeo Platform.
Virtual groups and roles are basically the same.
You can contribute specific virtual groups using the GroupComputer Service.

Use the Role attribute of the Principal.
Via UserManager you can contribute your own principal.